Abstract


A formal model for the study of on-line diagnosis is introduced and used to investigate the diagnosis of unrestricted faults. Within this model a fault of a system S is considered to be a transformation of S into another system S' at some time τ. The resulting faulty system is taken to be the system which looks like S up to time τ and like S' thereafter. Notions of fault tolerance and error are defined in terms of the resulting system being able to mimic some desired behavior as specified by a system S̃. A notion of on-line diagnosis is formulated which involves an external detector and a maximum time delay within which every error caused by a fault in a prescribed set must be detected.

The set of unrestricted faults of a system is defined to 
be simply the set of all faults of that system. It is shown 
that if a system is on-line diagnosable for the unrestricted 
set of faults then the detector is at least as complex, in 
terms of state set size, as the specification. Moreover, this 
is true even if an arbitrarily large delay is allowed in the 
diagnosis. The use of inverse systems for the diagnosis of 
unrestricted faults is considered. A partial characterization 
of those inverses which can be used for unrestricted fault 
diagnosis is obtained. 
I. INTRODUCTION

In many applications, especially those in which a computer is being used to control some process in real-time (e.g., telephone switching, flight control of an aircraft or spacecraft, etc.), it is desirable to constantly monitor the performance of the system, as it is being used, to determine whether the actual system is within tolerance of the intended system. Informally, by "on-line diagnosis" we mean a monitoring process of this type where the extent of the diagnosis depends on the meaning of "within tolerance." Thus, for example, if being within tolerance means having the same input-output behavior, then on-line diagnosis becomes on-line "detection." In the special case where the implementation of on-line diagnosis is completely internal to the system being diagnosed, it is referred to as "self diagnosis" or "self checking."

The incorporation of special hardware for the purpose of on-line diagnosis dates back to the relay computers developed by Bell Laboratories in the early-to-mid 1940's, where biquinary codes were used to dynamically check the operation of the computer [1]. A more general look at codes for checking logical operations was first taken by Peterson and Rabin in 1959 [2], where they showed that combinational circuits can vary greatly in their inherent on-line diagnosability. The use of coding techniques in the design of self-checking circuits was further explored by Carter and Schneider in 1968 [3] and by Anderson in 1971 [4]. In addition, a number of special on-line diagnosis methods have been considered which apply to specific hardware subsystems such as adders, counters, etc. (see [5], for example).

Given this background of techniques that have been proposed and, in many cases, used to improve the on-line diagnosability of a system, the following question arises quite naturally. With regard to any technique that might be employed, how complex must the diagnosing system be as compared to the system being diagnosed, if the latter is to be on-line diagnosable in some prescribed sense? To answer this question, one must, of course, designate the class of systems considered, the complexity measure, and the precise meaning of on-line diagnosis. In a first attempt, it appears reasonable to make these devices as general as possible in order to establish a framework for more incisive results that might follow.

Specifically, the systems we have chosen to consider are those which are representable as "discrete-time" systems when subjected to transient or permanent faults. Such systems are generalizations of sequential machines and permit structure to vary as faults occur. As a measure of system complexity, we have chosen the number of reachable internal states. This measure reflects the memory capacity of a system and, without further restrictions on system structure, it is the only measure of structural complexity that has a reasonable interpretation. Finally, the concept of on-line diagnosis considered requires that any error caused by a fault be detected within some maximum allowable time delay.

Section II of the paper is concerned with the formal development of the notion of a discrete-time system and the associated concepts of fault, result of a fault, and error. Section III formalizes the above concept of on-line diagnosis and establishes an answer to the question posed above; namely, if no restrictions are placed on the potential faults of a system S, then the complexity of a detector D must be at least as great as that of S. Moreover, this result holds even when the allowed time delay for error detection is arbitrarily large.

Section IV considers the on-line diagnosis of unrestricted faults for systems which have (delayed) inverses, that is, systems which are information lossless. Here it is shown that an inverse system can always be used for on-line diagnosis if it too is information lossless. Although the lossless condition is sufficient, it is shown further that there exist systems for which a lossy inverse can also be used for on-line diagnosis.
II. FAULTS AND ERRORS IN DISCRETE-TIME SYSTEMS

Informally, a discrete-time system is a causal, deterministic, finite-state system to which inputs (from a finite set) are applied at discrete instants of time and from which states and outputs (from a finite set) are observed at discrete instants of time. If, in addition, specific inputs are designated as "reset" inputs (used to initialize the system), then discrete-time systems can be formally defined as follows.

Definition 1: Relative to the time-base $T = \{\ldots, -1, 0, 1, \ldots\}$, a (resettable) discrete-time system (with finite input, output, and reset alphabets) is a system

$$S = (I, Q, Z, \delta, \lambda, R, \rho)$$

where

I is a finite nonempty set, the input alphabet
Q is a finite nonempty set, the state set
Z is a finite nonempty set, the output alphabet
$\delta: Q \times I \times T \to Q$, the transition function
$\lambda: Q \times I \times T \to Z$, the output function
R is a finite nonempty set, the reset alphabet
$\rho: R \times T \to Q$, the reset function.

The first five elements, I, Q, Z, δ, and λ, of a discrete-time system are the usual elements of a sequential machine but with δ and λ generalized to account for possible variation of structure with time. The action of a reset r ∈ R is described by ρ, the reset function, with the interpretation that if reset r is applied at time t − 1 then the system will be in state ρ(r,t) at time t. In the special case where S is time-invariant we will adopt the usual terminology by referring to S as a (resettable) sequential machine.
A particular discrete-time system can be viewed as a system which looks like some sequential machine $S_1$ in one time interval, like $S_2$ in another interval, and so on (see Fig. 1). Assuming familiarity with the concept of a sequential machine, with this view the more general concept of discrete-time system is easily understood. Moreover, as will be observed in the discussion that follows, discrete-time systems suffice to represent the structure and behavior of both "fault-free" and "faulty" digital systems in an on-line diagnosis environment.

Formulation of an appropriate notion of behavior for discrete-time systems follows directly from the usual behavioral notions that have been considered for sequential machines. Informally, if S is a discrete-time system, the behavior of S for a reset r applied at time t is a function which maps an input sequence x into the last output symbol that S would emit given that it received x under the above conditions. More formally, the behavior of S for (initial) condition (r,t) (r ∈ R, t ∈ T) is the function

$$\beta_{r,t}: I^+ \to Z$$

where

$$\beta_{r,t}(x) = \bar\lambda(\rho(r,t), x, t) \qquad (2.1)$$

($\bar\lambda$ denotes the natural extension of λ to $Q \times I^+ \times T$.) The natural extension of $\beta_{r,t}$ to sequences is denoted by $\bar\beta_{r,t}$, that is,

$$\bar\beta_{r,t}: I^+ \to Z^+$$

where

$$\bar\beta_{r,t}(a_1 a_2 \cdots a_n) = \beta_{r,t}(a_1)\,\beta_{r,t}(a_1 a_2) \cdots \beta_{r,t}(a_1 a_2 \cdots a_n).$$
It will also be convenient to define the behavior of S in state q, that is, the function

$$\beta_q: I^+ \times T \to Z$$

where

$$\beta_q(x,t) = \bar\lambda(q, x, t).$$

Given a discrete-time system S, the reachable part of S is the set

$$P = \{\, q \in Q \mid q = \bar\delta(\rho(r,t), x, t) \text{ for some } r \in R,\ t \in T, \text{ and } x \in I^* \,\}.$$

($\bar\delta$ denotes the natural extension of δ to $Q \times I^* \times T$.) S is reachable if P = Q. S is reduced if for all q, q' ∈ P, $\beta_q = \beta_{q'}$ implies q = q'. Concepts of simulation and realization that have been considered for sequential machines (see [6], for example) also extend easily to discrete-time systems. In particular, given two systems S̃ and S, S realizes S̃ under (g,h,k) if $g: (\tilde I)^+ \to I^+$ is a semigroup homomorphism such that $g(\tilde I) \subseteq I$, $h: \tilde R \to R$, and $k: Z' \to \tilde Z$ where $Z' \subseteq Z$, such that for all $\tilde r \in \tilde R$ and t ∈ T

$$\tilde\beta_{\tilde r, t} = k \circ \beta_{h(\tilde r), t} \circ g \qquad (2.2)$$

(where ∘ denotes left composition of functions). A pictorial representation of this notion is given in Fig. 2. A realization concept is quite useful when considering questions of diagnosability, for one often begins with a system specification S̃ which describes what the user wants but is not diagnosable. The solution is to find another system S which is diagnosable and can realize the behavior of S̃ via the input encoding map g, the reset encoding map h, and the output decoding map k.
Given some discrete-time system S, let us now consider how faults effect changes in system structure. In general, if a fault occurs at some time τ, S will be transformed into some other system S', and if S is in state q just before τ then S' is in state q' just after τ. More formally, a fault of S is a triple f = (S', τ, θ) where S' has the same input, output, and reset alphabets as S, τ ∈ T, and θ: Q → Q'. The restriction on the input, output, and reset alphabets is reasonable since after the fault occurs the system will presumably have the same external terminals. The function θ describes the state transitions that result when the fault occurs. Note that the interpretation of fault here is one of effect, not cause. Thus, for example, if S represents a switching network and some gate output j becomes stuck-at-1 at time τ, the fault is represented by the triple f = (S', τ, θ) where S' represents the network, as modified by a constant 1 at output j, and θ describes how this change affects the next state.

Given this interpretation, a formulation of the resulting faulty system is straightforward. More precisely:

Definition 2: If f = (S', τ, θ) is a fault of S, the result of f is the system

$$S_f = (I, Q_f, Z, \delta_f, \lambda_f, R, \rho_f)$$

where

$$Q_f = Q \cup Q'$$

$$\delta_f(q,a,t) = \begin{cases} \delta(q,a,t) & \text{if } q \in Q \text{ and } t < \tau - 1 \\ \theta(\delta(q,a,t)) & \text{if } q \in Q \text{ and } t = \tau - 1 \\ \delta'(q,a,t) & \text{if } q \in Q' \text{ and } t \ge \tau \end{cases}$$

$$\lambda_f(q,a,t) = \begin{cases} \lambda(q,a,t) & \text{if } q \in Q \text{ and } t < \tau \\ \lambda'(q,a,t) & \text{if } q \in Q' \text{ and } t \ge \tau \end{cases}$$

$$\rho_f(r,t) = \begin{cases} \rho(r,t) & \text{if } t < \tau \\ \theta(\rho(r,t)) & \text{if } t = \tau \\ \rho'(r,t) & \text{if } t > \tau \end{cases}$$

(Arguments not specified in the above definitions may be assigned arbitrary values.) A pictorial view of the result of f is presented in Fig. 3.

Given the result of some fault f, the behavior of $S_f$ for initial condition (r,t) (see (2.1)) can be conveniently formulated as follows.

Theorem 1: Let S be a system and let f = (S', τ, θ) be a fault of S. Then for each r ∈ R, t ∈ T, and $x \in I^+$,

$$\beta^f_{r,t}(x) = \begin{cases} \beta_{r,t}(x) & \text{if } t + |x| \le \tau \\ \beta'_{\theta(\bar\delta(\rho(r,t),\,y,\,t))}(z, \tau) & \text{if } t + |x| > \tau \text{ and } t \le \tau, \text{ where } x = yz \text{ and } |y| = \tau - t \\ \beta'_{r,t}(x) & \text{if } t > \tau \end{cases}$$

(|x| denotes the length of sequence x.)

The proof of Theorem 1 is a straightforward application of the general definition of behavior (2.1) to the faulty system $S_f$ given by Definition 2. Its utility is that it provides a formal means for comparing the behavior of a faulty system $S_f$ to that of the fault-free system S or to that of some original specification S̃. In particular, we want to determine whether the behavior of $S_f$ is "within tolerance" of the specification S̃. The latter concept can be formalized as follows.





Let S̃ be a reduced, reachable specification of a time-invariant, discrete-time system (i.e., S̃ is a sequential machine) and let S be a sequential machine that realizes S̃ under the functions (g,h,k). (Our development at this point could be generalized to include time-varying systems. However, it seems reasonable to assume that the specification and desired fault-free realization are time-invariant.) We can assume further that g and h are onto, since the only input and reset symbols of concern in the realization S are those which correspond to inputs and resets of S̃. Also, since S and S̃ are time-invariant, it suffices to describe their behaviors for resets at time 0. Accordingly, we will let $\beta_r$ and $\tilde\beta_{\tilde r}$ denote the behaviors $\beta_{r,0}$ and $\tilde\beta_{\tilde r,0}$, respectively.

Given the above assumptions, we will say that a faulty system $S_f$ is "within tolerance" of S̃ or, alternatively, that the fault f is "tolerated" if, behaviorally, $S_f$ relates to S̃ in the same way that S relates to S̃. In other words, behaviorally, S and $S_f$ can accomplish the same thing relative to S̃. (Note that although S is presumed time-invariant, in general, $S_f$ will not be.) More formally, if f is a fault of machine S, then f is tolerated if, for all $\tilde r \in \tilde R$,

$$\tilde\beta_{\tilde r} = k \circ \beta^f_{h(\tilde r)} \circ g.$$

Alternatively, since g and h are onto, it follows that f is tolerated if and only if, for all r ∈ R,

$$k \circ \beta_r = k \circ \beta^f_r.$$
A fault which is not tolerated is capable of causing "errors" in the following sense. If r ∈ R, $x \in I^+$, and $y \in Z^+$ such that |x| = |y|, the triple (r,x,y) is an error if

$$\bar k(\bar\beta_r(x)) \ne \bar k(y),$$

where $\bar k$ denotes the homomorphic extension of k to $Z^+$. In particular, if f is a fault, an error (r,x,y) is caused by f if

$$\bar\beta^f_r(x) = y,$$

that is, for reset r and input sequence x, $S_f$ produces an output that is in error relative to S̃. It follows immediately from the definition that a fault f is tolerated if and only if no errors are caused by f. Finally, since we will be interested in the time when an error first occurs, we will say that an error (r, ua, vb) (where r ∈ R; $u \in I^*$, $v \in Z^*$; a ∈ I, b ∈ Z) is minimal if (r,u,v) is not an error.


III. ON-LINE DIAGNOSIS

With respect to the concepts of fault and error developed in the preceding section, let us now consider what we might mean by "on-line diagnosis." Let (S,F) be the machine S along with the prescribed set of faults F of S. Let D be another machine with the same reset alphabet as S and with input set Z × I, and let n be a nonnegative integer. Then
Definition 3: (S,F) is (D,n)-diagnosable if

(i) $\bar\beta^D_r([\bar\beta_r(x), x]) = 0^{|x|}$ for all r ∈ R and $x \in I^+$, and

(ii) if (r,x,y) is a minimal error caused by some f ∈ F then

$$\bar\beta^D_r([\bar\beta^f_r(xw), xw]) \ne 0^{|xw|} \quad \text{for all } w \in I^* \text{ with } |w| = n.$$

(If $u = z_1 z_2 \cdots z_n \in Z^+$ and $v = a_1 a_2 \cdots a_n \in I^+$ then [u,v] denotes the sequence $(z_1,a_1)(z_2,a_2)\cdots(z_n,a_n) \in (Z \times I)^+$.)

Thus, the detector D observes the operation of S (see Fig. 4) and must make a decision, based on this observation, as to whether an error has occurred. Note that the fault-free realization S and the detector are both time-invariant (i.e., machines), and that the detector takes no part in the computation of S's output. The two conditions of the above definition can be paraphrased as:

(i) D responds negatively if no fault occurs, i.e., D gives no false alarms; and

(ii) for all f ∈ F, D responds positively within n time steps of the occurrence of the first error caused by f.

Given this concept of on-line diagnosability, the investigation that follows will be concerned with the general case in which the set of potential faults is "unrestricted." More precisely, the set of unrestricted faults of machine S, denoted by U, is the set U = {f | f is a fault of S}. Note that this set of faults is truly unrestricted, for it is precisely the set of all possible faults of the machine being diagnosed.

Aside from representing a "worst-case" fault environment, there are certain practical reasons for considering U, at least at the outset. In particular, as the scale of integrated circuit technology becomes larger, it becomes more difficult to postulate a suitably restricted class of faults such as the class of all "stuck-at" faults. Moreover, although other failure models such as bridging failures have been proposed and studied (see [7] and [8], for example), little is known about the diagnosis of such failures. In addition, intermittent and multiple failures are also possible and are even more difficult to model. Finally, for a given failure it may be impossible to determine the θ function of the fault caused by this failure. Thus fault sets which do not restrict the fault mapping θ are advantageous.

One important property of the set of unrestricted faults is the relation between this fault set and the set of errors that may be caused by faults in this set. Given any r ∈ R, $x \in I^+$, and $y \in Z^+$ with |x| = |y|, there is a fault f ∈ U such that $\bar\beta^f_r(x) = y$. Therefore faults in U can cause any possible erroneous behavior, and for (S,U) to be (D,n)-diagnosable all of these possible erroneous behaviors will have to be detected by D. Due to the above observation it is clear that the output of $S_f$ (the system actually being observed by the detector) can give no information about what the correct output should be.

It is a well known and obvious fact that if a system is duplicated and both copies are run in parallel with the same inputs, then, by dynamically comparing the outputs of the two copies, any error which does not appear simultaneously in both copies will be immediately detected. Our view of duplication is shown in Fig. 5. In this figure the detector D consists of a copy of S along with a generalized Exclusive-OR gate whose output is 0 if and only if its inputs are identical. Given such a detector D, it is immediately clear that (S,U) is (D,0)-diagnosable. It is also clear that by using suitable encoding and decoding functions, unrestricted fault diagnosis can be achieved by comparing the output of S with that of its reduced and reachable specification S̃.
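The following Python program, an example added here and not part of the paper, puts Definitions 2 and 3 and the duplication detector of Fig. 5 into code: `faulty_run` computes the behavior of $S_f$ for a fault f = (S', τ, θ) with the reset applied at time 0, `duplication_detector` builds the detector of Fig. 5, and `diagnosable` decides by exhaustive enumeration (over input sequences up to a chosen length) whether (S,U) is (D,n)-diagnosable. The machine S1, the fault and the one-state detector D0 are constructed for this example, and S1 is taken as its own specification (g, h and k are identities), so an error is any deviation from the fault-free output.

```python
"""Sequential machines, the result of a fault (Definition 2) and an exhaustive
check of (D, n)-diagnosability for the unrestricted fault set U (Definition 3).
Assumes time-invariant machines, resets at time 0, and S as its own
specification (g, h, k identities): an error is any deviation from S's output."""
from dataclasses import dataclass
from itertools import product


@dataclass
class Machine:
    """Resettable sequential machine: delta[(q, a)] = next state,
    lam[(q, a)] = output, rho[r] = initial state for reset r."""
    inputs: tuple
    states: tuple
    outputs: tuple
    delta: dict
    lam: dict
    rho: dict

    def run(self, r, x):
        """Extended behaviour beta-bar_r(x): outputs for reset r then inputs x."""
        q, out = self.rho[r], []
        for a in x:
            out.append(self.lam[(q, a)])
            q = self.delta[(q, a)]
        return tuple(out)


def faulty_run(S, Sp, tau, theta, r, x):
    """beta-bar^f_r(x) for the fault f = (Sp, tau, theta), theta a dict Q -> Q':
    S acts on inputs at times t < tau, the state produced by the transition at
    time tau - 1 is mapped through theta, and Sp acts from time tau on."""
    # rho_f(r, 0) per Definition 2: rho'(r, 0), theta(rho(r, 0)) or rho(r, 0)
    q = Sp.rho[r] if tau < 0 else theta[S.rho[r]] if tau == 0 else S.rho[r]
    out = []
    for t, a in enumerate(x):
        m = S if t < tau else Sp
        out.append(m.lam[(q, a)])
        q = m.delta[(q, a)]
        if t == tau - 1:
            q = theta[q]
    return tuple(out)


def minimal_error(S, Sp, tau, theta, r, x):
    """The minimal error (r, ua, vb) f causes on input x, or None if none."""
    good, bad = S.run(r, x), faulty_run(S, Sp, tau, theta, r, x)
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return (r, x[:i + 1], bad[:i + 1])
    return None


def duplication_detector(S):
    """Fig. 5: a copy of S plus a generalized Exclusive-OR that emits 0 iff
    the observed output z equals the copy's own output."""
    pairs = tuple(product(S.outputs, S.inputs))
    delta = {(q, p): S.delta[(q, p[1])] for q in S.states for p in pairs}
    lam = {(q, p): int(S.lam[(q, p[1])] != p[0]) for q in S.states for p in pairs}
    return Machine(pairs, S.states, (0, 1), delta, lam, dict(S.rho))


def diagnosable(S, D, n, max_len):
    """Decide whether (S, U) is (D, n)-diagnosable over every reset and every x
    with |x| <= max_len.  U contains a fault yielding any output sequence, so
    every (r, x, y) with y = beta-bar_r(x) except in its last symbol is a
    minimal error, and the outputs during the n further steps w are arbitrary."""
    for r, L in product(S.rho, range(1, max_len + 1)):
        for x in product(S.inputs, repeat=L):
            good = S.run(r, x)
            if any(D.run(r, tuple(zip(good, x)))):
                return False              # (i) violated: a false alarm
            for z in S.outputs:
                if z == good[-1]:
                    continue
                y = good[:-1] + (z,)
                for w in product(S.inputs, repeat=n):
                    for yw in product(S.outputs, repeat=n):
                        if not any(D.run(r, tuple(zip(y + yw, x + w)))):
                            return False  # (ii) violated: never signalled
    return True


# Constructed sample machine S1: it emits 1 iff an odd number of 1s has been
# read before the current input; its specification S~ is S1 itself.
S1 = Machine(inputs=(0, 1), states=("A", "B"), outputs=(0, 1),
             delta={("A", 0): "A", ("A", 1): "B", ("B", 0): "B", ("B", 1): "A"},
             lam={("A", 0): 0, ("A", 1): 0, ("B", 0): 1, ("B", 1): 1},
             rho={"r": "A"})
# Constructed fault f = (S1P, 2, THETA): from time 2 on the next-state logic
# ignores input 1 (delta'(q, 1) = q); THETA is the identity on Q.
S1P = Machine(S1.inputs, S1.states, S1.outputs,
              {("A", 0): "A", ("A", 1): "A", ("B", 0): "B", ("B", 1): "B"},
              dict(S1.lam), dict(S1.rho))
THETA = {"A": "A", "B": "B"}
# A one-state detector that never signals: the only one-state detector without
# false alarms here, since every pair (z, a) occurs in some fault-free run.
PAIRS = tuple(product((0, 1), (0, 1)))
D0 = Machine(PAIRS, ("s",), (0, 1), {("s", p): "s" for p in PAIRS},
             {("s", p): 0 for p in PAIRS}, {"r": "s"})

if __name__ == "__main__":
    print(minimal_error(S1, S1P, 2, THETA, "r", (1, 1, 1, 1)))
    print(diagnosable(S1, duplication_detector(S1), 0, 3))   # Fig. 5: True
    print(diagnosable(S1, D0, 2, 3))                         # Theorem 2: False
```

Run stand-alone, it reports the minimal error (r, 1111, 0100) caused by the sample fault, that the duplication detector diagnoses (S1,U) with delay 0, and that the one-state detector fails even with delay 2, as Theorem 2 requires since S1 has two states.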
An interesting question, the answer to which would tell us something fundamental about the diagnosis of unrestricted faults, is whether or not it is possible to do better than duplication in the sense of achieving (D,n)-diagnosis of (S,U) with a detector D which is less complex, in terms of state set size, than the specification S̃. One reason to believe that this may be possible is the observation that if S has an inverse then this inverse may have fewer states than S and yet a detector constructed using this inverse may be capable of diagnosing the set of unrestricted faults of S (see Example 1). However, the following result shows that for n = 0 it is impossible to do any better than duplication in the sense described above. First we state a simple lemma which is an immediate consequence of the definition of realization (2.2).

Lemma 1: Let S̃ and S be two machines such that S realizes S̃ under the triple (g,h,k) and S̃ is reduced and reachable. Then there exists a 1-1 function α from $\tilde Q$ into P such that for all $\tilde q \in \tilde Q$, $\tilde\beta_{\tilde q} = k \circ \beta_{\alpha(\tilde q)} \circ g$.

Applying this lemma, we obtain the following basic result.

Theorem 2: If (S,U) is (D,0)-diagnosable, then the detector D has at least as many states as the specification S̃ of S.

Proof: Let (S,U) be (D,0)-diagnosable and assume, to the contrary, that $|Q_D| < |\tilde Q|$. By the above lemma, there are $|\tilde Q|$ states in P, the reachable part of S, which all mimic different states of S̃. Referring to Fig. 4, since $|Q_D| < |\tilde Q|$ there must exist states $q_1, q_2 \in P$ and $s \in Q_D$ such that $k \circ \beta_{q_1} \ne k \circ \beta_{q_2}$ and it is possible for S to be in $q_1$ or $q_2$ while D is in s. Since $k \circ \beta_{q_1} \ne k \circ \beta_{q_2}$, there exists a sequence ua, where $u \in I^*$ and a ∈ I, such that $k(\beta_{q_1}(ua)) \ne k(\beta_{q_2}(ua))$ and, if u ≠ Λ, then $\bar k(\bar\beta_{q_1}(u)) = \bar k(\bar\beta_{q_2}(u))$. Since it is possible for S to be in $q_1$ while D is in s, there exist $r_1 \in R$ and $x_1 \in I^+$ such that $\bar\delta(\rho(r_1), x_1) = q_1$ and $\bar\delta_D(\rho_D(r_1), [\bar\beta_{r_1}(x_1), x_1]) = s$.

Recall that given any r ∈ R, $x \in I^+$, and $y \in Z^+$ with |x| = |y|, there is a fault f ∈ U such that $\bar\beta^f_r(x) = y$. Let f ∈ U be a fault for which $\bar\beta^f_{r_1}(x_1 ua) = \bar\beta_{r_1}(x_1)\,\bar\beta_{q_2}(ua)$. Since it is known that $\bar k(\bar\beta_{q_1}(u)) = \bar k(\bar\beta_{q_2}(u))$, it follows that $(r_1, x_1 ua, \bar\beta^f_{r_1}(x_1 ua))$ is a minimal error. Now, (S,U) is (D,0)-diagnosable implies $\bar\beta^D_{r_1}([\bar\beta^f_{r_1}(x_1 ua), x_1 ua]) \ne 0^{|x_1 ua|}$. Since no false alarms may occur, $\bar\beta^D_{r_1}([\bar\beta_{r_1}(x_1), x_1]) = 0^{|x_1|}$. Also, since it is possible for S to be in $q_2$ while D is in s,

$$\bar\beta^D_s([\bar\beta_{q_2}(ua), ua]) = 0^{|ua|}.$$

But

$$\bar\beta^D_{r_1}([\bar\beta^f_{r_1}(x_1 ua), x_1 ua]) = \bar\beta^D_{r_1}([\bar\beta_{r_1}(x_1)\,\bar\beta_{q_2}(ua), x_1 ua]) = \bar\beta^D_{r_1}([\bar\beta_{r_1}(x_1), x_1])\;\bar\beta^D_s([\bar\beta_{q_2}(ua), ua]) = 0^{|x_1|}\,0^{|ua|} = 0^{|x_1 ua|}.$$

This contradicts the assumption that (S,U) is (D,0)-diagnosable. Therefore $|Q_D| \ge |\tilde Q|$, thus completing the proof.

Suppose now that we allow some arbitrary, but fixed, n > 0 in the detection process. Can this additional time be traded off for less detector complexity? Unfortunately, for the unrestricted case, the answer is no. In fact, if (S,U) is (D',n)-diagnosable then we can construct a detector D, essentially by eliminating unnecessary states of D', such that (S,U) is (D,0)-diagnosable.

Before stating this result formally, it is convenient to establish the following important lemma.
Lemma 2: If (S,U) is (D',n)-diagnosable then there exists a detector D with no more states than D' such that (S,U) is (D,n)-diagnosable and, for each $q \in Q_D$, $\lambda_D(q,(z,a)) = 0$ for some (z,a) ∈ Z × I.

Proof: Assume that (S,U) is (D',n)-diagnosable and construct D from D' as follows:

1) Delete from the state table of D' any row corresponding to a state q for which

$$0 \notin \{\lambda_{D'}(q,(z,a)) \mid (z,a) \in Z \times I\}.$$

2) In the resulting table, replace every reference to the deleted state with a reference to an arbitrary remaining state, and set the corresponding output to 1.

3) Repeat steps 1) and 2) until no further deletions are possible.

Since $|Q_{D'}| < \infty$, the above algorithm will terminate in a finite number of iterations.

From the nature of the above construction it is clear that $|Q_D| \le |Q_{D'}|$ and for each $q \in Q_D$, $\lambda_D(q,(z,a)) = 0$ for some (z,a) ∈ Z × I. It only remains to be shown that (S,U) is (D,n)-diagnosable.

If the detector D' is in a state q for which $0 \notin \{\lambda_{D'}(q,(z,a)) \mid (z,a) \in Z \times I\}$, then an error must have occurred, because if D' is in q then an error detection signal will be emitted regardless of the input to D'. Hence this error could be signaled whenever a transition to q is indicated, and there would be no loss in diagnosis and no possibility for a false alarm. Since all minimal errors which q signaled would then be signaled before D' got to state q, q could be eliminated. This is the essence of what is accomplished in steps 1) and 2). This elimination process is necessarily iterative because step 2) may introduce new states to be deleted. Since this construction is diagnosis preserving, (S,U) is (D,n)-diagnosable, thereby proving the lemma.
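The state-elimination construction in the proof of Lemma 2, as an added Python example (not code from the paper): `eliminate_states` applies steps 1) to 3) to a detector given as a state table, and the constructed detector D' (a duplication detector for a two-state machine, extended with two extra states W and E that are entered once an error has been seen) shows why step 3) has to iterate, since only E can be deleted at first and deleting it leaves W without a 0 output.

```python
"""The state-elimination construction from the proof of Lemma 2.  A detector
is a plain state table: delta[(q, (z, a))] is the next state, lam[(q, (z, a))]
the 0/1 output and rho[r] the reset state; pairs is its input alphabet Z x I."""
from itertools import product


def eliminate_states(states, delta, lam, rho, pairs):
    """Apply steps 1)-3) of Lemma 2 and return (states, delta, lam, rho).
    A reset state of a detector without false alarms always has a 0 output,
    so it is never selected for deletion and the state list never empties."""
    states, delta, lam, rho = list(states), dict(delta), dict(lam), dict(rho)
    while True:
        # step 1: a row whose outputs contain no 0 is deleted
        doomed = [q for q in states if 0 not in {lam[(q, p)] for p in pairs}]
        if not doomed:
            return states, delta, lam, rho        # step 3: nothing left to do
        q = doomed[0]
        states.remove(q)
        for p in pairs:
            del delta[(q, p)], lam[(q, p)]
        # step 2: references to q go to an arbitrary remaining state, output 1
        target = states[0]
        for key, nxt in list(delta.items()):
            if nxt == q:
                delta[key], lam[key] = target, 1
        for r, s in rho.items():
            if s == q:                            # impossible without false alarms
                rho[r] = target


# Constructed detector D' for a two-state machine S1 with I = Z = {0, 1}:
# states A and B copy S1 (output 0 iff the observed z matches the copy's own
# output), a mismatch moves to W, which emits 0 only on (0, 0) and always moves
# on to the sink E, and E emits 1 on everything.  Only E is removable at first;
# removing it leaves W with no 0 output, so the iteration of step 3 is needed.
PAIRS = tuple(product((0, 1), (0, 1)))
S1_DELTA = {("A", 0): "A", ("A", 1): "B", ("B", 0): "B", ("B", 1): "A"}
S1_LAM = {("A", 0): 0, ("A", 1): 0, ("B", 0): 1, ("B", 1): 1}
DP_STATES = ("A", "B", "W", "E")
DP_DELTA, DP_LAM = {}, {}
for q in ("A", "B"):
    for z, a in PAIRS:
        ok = S1_LAM[(q, a)] == z
        DP_DELTA[(q, (z, a))] = S1_DELTA[(q, a)] if ok else "W"
        DP_LAM[(q, (z, a))] = 0 if ok else 1
for p in PAIRS:
    DP_DELTA[("W", p)], DP_LAM[("W", p)] = "E", 0 if p == (0, 0) else 1
    DP_DELTA[("E", p)], DP_LAM[("E", p)] = "E", 1
DP_RHO = {"r": "A"}

if __name__ == "__main__":
    states, delta, lam, rho = eliminate_states(DP_STATES, DP_DELTA, DP_LAM,
                                               DP_RHO, PAIRS)
    print(states)                                 # ['A', 'B']
    print({k: v for k, v in delta.items() if lam[k] == 1})
```

The surviving detector has exactly the two states that Corollary 3.1 requires, and every row that formerly led to W or E now signals 1 and returns to A.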

Theorem 3: If (S,U) is (D',n)-diagnosable then there exists a detector D with no more states than D' such that (S,U) is (D,0)-diagnosable.

Proof: Assume that (S,U) is (D',n)-diagnosable. By Lemma 2, there exists a detector D with no more states than D' such that (S,U) is (D,n)-diagnosable and, for each $q \in Q_D$, $\lambda_D(q,(z,a)) = 0$ for some (z,a) ∈ Z × I.

Claim: (S,U) is (D,0)-diagnosable.

Assume, to the contrary, that (S,U) is not (D,0)-diagnosable. Using induction on the delay of the diagnosis, we will deduce that (S,U) is not (D,m)-diagnosable for all m ≥ 0. This will establish the result, for it contradicts the hypothesis that (S,U) is (D,n)-diagnosable.

If m = 0, then by the above assumption, (S,U) is not (D,m)-diagnosable. Let us assume, then, that (S,U) is not (D,m)-diagnosable for some m ≥ 0, and show that this implies (S,U) is not (D,m+1)-diagnosable. Since (S,U) is not (D,m)-diagnosable, there exists a minimal error (r,x,y) caused by f ∈ U and a sequence $w \in I^*$ with |w| = m such that $\bar\beta^D_r([\bar\beta^f_r(xw), xw]) = 0^{|xw|}$. Let $\bar\delta_D(\rho_D(r), [\bar\beta^f_r(xw), xw]) = s$. Let (z,a) ∈ Z × I be such that $\lambda_D(s,(z,a)) = 0$. By Lemma 2 we know that such a (z,a) exists. Let f' be a fault for which $\bar\beta^{f'}_r(xwa) = \bar\beta^f_r(xw)\,z$. Then $(r, x, \bar\beta^{f'}_r(x))$ is a minimal error but $\bar\beta^D_r([\bar\beta^{f'}_r(xwa), xwa]) = 0^{|xwa|}$. Hence (S,U) is not (D,m+1)-diagnosable. Therefore, (S,U) is not (D,0)-diagnosable implies (S,U) is not (D,m)-diagnosable for all m ≥ 0.

But we know that (S,U) is (D,n)-diagnosable. Hence (S,U) is (D,0)-diagnosable. This establishes the result.
Corollary 3.1: If (S,U) is (D,n)-diagnosable then the detector D has at least as many states as the specification S̃ of S.

Proof: This is an immediate consequence of Theorems 2 and 3.


IV. DIAGNOSIS USING INVERSE MACHINES

Let us now consider the use of inverse machines for the diagnosis of unrestricted faults. An (I,n)-delay machine (delay machine) is a machine $S^n = (I, I^n, I, \delta, \lambda, R, \rho)$ such that if $a_i \in I$, $1 \le i \le n+1$, then

$$\delta((a_1, \ldots, a_n), a_{n+1}) = (a_2, \ldots, a_{n+1})$$

and

$$\lambda((a_1, \ldots, a_n), a_{n+1}) = a_1;$$

thus, an (I,n)-delay machine simply delays its input for n time steps. Stated more precisely, if $S^n$ is an (I,n)-delay machine then

$$\beta_{(a_1, \ldots, a_n)}(a_{n+1} \cdots a_{n+m}) = a_m.$$

Let S and S̄ be two machines such that R̄ = R and Z̄ = I. Then S̄ is an (n-delayed) inverse of S if there exists an (I,n)-delay machine $S^n$ with reset alphabet R such that for all r ∈ R and $x \in I^+$

$$\bar\beta^{\bar S}_r(\bar\beta_r(x)) = \bar\beta^{\,n}_r(x)$$

(where $\beta^{\bar S}$ and $\beta^{\,n}$ denote the behaviors of S̄ and $S^n$, respectively).

Machines for which inverses exist can be easily characterized. Intuitively, such machines lose no information as they transform input sequences into output sequences. A machine S is information lossless of delay d if for all r ∈ R and $a_1 a_2 \cdots a_n,\ b_1 b_2 \cdots b_n \in I^+$ ($a_i, b_i \in I$, $1 \le i \le n$)

$$\bar\beta_r(a_1 a_2 \cdots a_n) = \bar\beta_r(b_1 b_2 \cdots b_n) \text{ implies } a_i = b_i \text{ for } 1 \le i \le n - d.$$

The basic relationship between information losslessness and inverses is given by the following theorem (see [10], for example).

Theorem 4: S has an n-delayed inverse if and only if S is information lossless of delay n.

Information lossless machines and inverse machines were first introduced by Huffman [9]. He devised a test for information losslessness and for the existence of inverses. It should be pointed out that our definitions of these notions are oriented towards their use in diagnosis and that they vary slightly from Huffman's definitions.

Even [10] later devised a better means of determining information losslessness and he presented two means for obtaining inverses of information lossless machines. Kohavi and Lavallee [11] have shown that any machine can be realized by an information lossless machine.

We now state the basic result relating the use of lossless inverses with the diagnosis of unrestricted faults.

Theorem 5: Let S be a lossless machine and let S̄ be an n-delayed inverse of S. Let D be constructed from S̄, the (I,n)-delay machine which demonstrates that S̄ is an n-delayed inverse of S, and an Exclusive-OR gate as shown in Fig. 6. If S̄ is lossless of delay d then (S,U) is (D,d)-diagnosable.

Proof: Since $\bar\beta^{\bar S}_r(\bar\beta_r(x)) = \bar\beta^{\,n}_r(x)$, there will be no false alarms. Let (r,x,y) be a minimal error caused by a fault f ∈ U. Then $\bar\beta^f_r(x) \ne \bar\beta_r(x)$. Let $w \in I^*$ with |w| = d. Since S̄ is lossless of delay d, $\bar\beta^{\bar S}_r(\bar\beta^f_r(xw)) \ne \bar\beta^{\bar S}_r(\bar\beta_r(xw))$. The Exclusive-OR gate will detect this inequality, and hence the minimal error will be detected within d time steps of its occurrence. Therefore, (S,U) is (D,d)-diagnosable.

Example 1: Consider the reduced and reachable machines $S_1$ and $\bar S_1$ given by the state tables in Fig. 7 and Fig. 8. The last column in these state tables specifies the reset alphabet and function. $\bar S_1$ is a 2-delayed inverse of $S_1$ and $\bar S_1$ is itself information lossless of delay 2. Thus a detector $D_1$ for which $(S_1,U)$ is $(D_1,2)$-diagnosable can be constructed using the inverse of $S_1$.

It is interesting to note that although $\bar S_1$ has fewer states than $S_1$, $D_1$ has more states than $S_1$. This is because there is an $(I_1,2)$-delay machine in $D_1$, in addition to the inverse $\bar S_1$. It is also worth pointing out that the delay in diagnosis using an inverse machine is not the delay of losslessness of the machine being diagnosed but rather of its inverse. Thus an n-delayed inverse can be used to achieve diagnosis without delay if it is lossless of delay 0.

The following example shows that the converse of Theorem 5 does not hold. Namely, it is possible to diagnose the unrestricted faults of a machine using an inverse which is not lossless. However, not all inverses can be used for the diagnosis of unrestricted faults. The complete characterization of inverses which can be used for unrestricted fault diagnosis is still an open problem.
Example 2: Consider the reduced and reachable machines $S_2$ and $\bar S_2$ given by the state tables in Fig. 9 and Fig. 10. $\bar S_2$ is a 0-delayed inverse of $S_2$ and it can be used to construct a detector $D_2$ such that $(S_2,U)$ is $(D_2,0)$-diagnosable. However, $\bar S_2$ is not lossless.

In conclusion, it is interesting to note that results established in this and the preceding section have something to say about lossless machines, per se. Let S be a reduced, reachable machine that is lossless of delay d. Let S̄ be a lossless inverse of S. We have seen in Example 1 that such an inverse can have fewer states than the machine of which it is an inverse. In the following result we will give a lower bound on the state set size of S̄ in terms of the state set size of S, the delay d of S, and the input alphabet size of S. This result, which deals only with lossless and inverse machines, is proved using Corollary 3.1 and Theorem 5, results concerning the diagnosis of unrestricted faults.

Theorem 6: Let S be reduced, reachable, and lossless of delay d. Let S̄ be a lossless d-delayed inverse of S. Then

$$|\bar Q| \ge \frac{|Q|}{|I|^d}.$$

Proof: Consider S and S̄ in the configuration of Fig. 6. Since S̄ is lossless, by Theorem 5, (S,U) is (D,n)-diagnosable for some n. Now by Corollary 3.1, $|Q_D| \ge |Q|$. Since $Q_D = \bar Q \times I^d$, $|Q_D| = |\bar Q|\,|I|^d$. Thus

$$|Q| \le |\bar Q|\,|I|^d \quad\text{or}\quad \frac{|Q|}{|I|^d} \le |\bar Q|.$$
FIGURE CAPTIONS

Fig. 1. A discrete-time system.

Fig. 2. S realizes S̃ under (g,h,k).

Fig. 3. The result of fault f = (S', τ, θ) of S.

Fig. 4. Diagnosis of (S,F) using the detector D.

Fig. 5. Diagnosis via duplication in the detector.

Fig. 6. Diagnosis using an inverse system.

Fig. 7. State table of $S_1$.

Fig. 8. State table of $\bar S_1$.

Fig. 9. State table of $S_2$.

Fig. 10. State table of $\bar S_2$.
